Posted August 13th, 2007 by rybolov
I’ve been sitting in some vendor presentations lately–I think they invite me along so I can be the resident curmudgeon–and I’m starting to get a good feel for what both the government and I want in a product.
I want to know how a tool fits into my IA framework. That framework for me is NIST SP 800-53. One side effect of 800-53 is that I can’t justify a product “just because”–I have to state how this tool or service will help me attain “compliance” with the minimum baseline of security controls. It’s not enough anymore to just say “hey, our product helps you with SP 800-53 controls, have some magic FISMA Fairy Dust”.
Advice for vendors: take the day of effort to provide a traceability matrix for me. What I have is a Plan of Actions and Milestones (POA&M) that requires me to implement the following controls:
- AC-11 Session Lock
- AC-12 Session Termination
Now what I want is for your product to say the following:
- AC-11: Our product locks out users after 15 minutes of activity on their Frobulator workstation.
- AC-12: Our product terminates users after 25 minutes of activity on their Frobulator workstation.
If your product doesn’t do a control, don’t mention it. But by all means get somebody who routinely works with the catalog of controls to determine if you meet the control objective: there’s nothing I hate more than trying to understand how somebody stretched their interpretation of control objectives that I now have to turn around and rationalize to an auditor. It’s OK if your product doesn’t do everything as long as it does the right things.
Now the reason I bring all this up is that I, too, am a vendor–a services/outsourcing vendor. I’m taking the time this week to do my own traceability matrix that says something like this:
- For the Basic Hosting Service, these are the controls that you get (mostly Physical and Environmental Protection (PE) and Media Protection (MP))
- For the IDS Monitoring and Management Service, these are the controls that you get (mostly Audit (AU) controls with a smattering of Incident Response (IR) controls)
- For the Network Monitoring and Management Services, these are the controls that you get (hardly any except for availability monitoring)
- This is what we provide for support when you do a risk assessment or certification and accreditation
- Some controls are Inherent Government Functions (IGF) and cannot be outsourced to us such as FIPS-199 categorization and risk acceptance
The whole idea is to delineate the responsibilities for pre-sales work so that when somebody contracts with us, they know the Government’s responsibilities, our Project Management Office’s (PMO’s) responsibilities, and my operations group’s responsibilities. It’s going back to the nature of outsourcing and the fact that transparency is key.
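One way to make that traceability matrix something you can actually query, as an added example (not the post’s own matrix): each offering claims the SP 800-53 controls it satisfies and names the responsible party, and the POA&M is traced against it so that covered controls, their owners, and controls nobody claims fall out mechanically. The offerings, control statements and the POA&M below are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Offering:
    name: str
    party: str                                   # who owns the control: "ops", "pmo" or "government"
    claims: dict = field(default_factory=dict)   # control id -> one-line statement of how it is met

# Constructed sample matrix (hypothetical services and statements, not a real vendor's).
MATRIX = [
    Offering("Basic Hosting", "ops", {
        "PE-3": "Badge-controlled access to the data center floor.",
        "MP-6": "Media is sanitized before it leaves the facility."}),
    Offering("IDS Monitoring", "ops", {
        "AU-6": "Analysts review IDS alerts every shift.",
        "IR-6": "Incidents are reported to the customer within the agreed window."}),
    Offering("Frobulator Workstation Agent", "ops", {
        "AC-11": "Locks the session after 15 minutes of inactivity.",
        "AC-12": "Terminates the session after 25 minutes of inactivity."}),
    Offering("Inherently governmental", "government", {
        "RA-2": "FIPS 199 categorization is performed by the agency.",
        "CA-6": "Risk acceptance (authorization) stays with the agency."}),
]

def trace(poam, matrix):
    """Map each POA&M control to the offerings that claim it.
    Returns (covered, uncovered); covered is control -> [(offering, party, statement)]."""
    covered, uncovered = {}, []
    for control in poam:
        hits = [(o.name, o.party, o.claims[control]) for o in matrix if control in o.claims]
        if hits:
            covered[control] = hits
        else:
            uncovered.append(control)          # nobody claims it: still the customer's problem
    return covered, uncovered

def responsibilities(poam, matrix):
    """Group POA&M controls by responsible party; unclaimed controls land in 'unassigned'."""
    covered, uncovered = trace(poam, matrix)
    table = {}
    for control, hits in covered.items():
        for _, party, _ in hits:
            table.setdefault(party, set()).add(control)
    if uncovered:
        table["unassigned"] = set(uncovered)
    return table

if __name__ == "__main__":
    poam = ["AC-11", "AC-12", "AU-6", "RA-2", "SC-7"]   # constructed POA&M
    covered, uncovered = trace(poam, MATRIX)
    for control, hits in covered.items():
        for name, party, statement in hits:
            print(f"{control}: {name} ({party}) - {statement}")
    print("No offering claims:", uncovered)
```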
Posted in FISMA, NIST, Outsourcing, The Guerilla CISO | 3 Comments »
Posted August 9th, 2007 by rybolov
I helped give our auditors from the Defense Contract Audit Agency (DCAA) some education on how managed services work. We did the usual presentation–who the building tenants are, what takes place in the various floors, and what services we offer.
In case you’re not familiar with DCAA, the basic rundown is that they are the financial auditors for government contracts. They look at your numbers and try to detect how and where you are committing financial fraud. In our case, we have distinct service descriptions and a set of financial and operational metrics to support the numbers (i.e., each server requires 1 hour per month on average to do patching and fix outages, so the cost to us is $100; add your markup and that’s the cost per month to monitor and manage a device).
This is risk management through education for us. When you have auditors who don’t understand why an IT operations shop would need 13K gallons of diesel fuel (I thought you did IT?), the least you can do is to educate them.
Posted in Risk Management, The Guerilla CISO | 2 Comments »
Posted August 8th, 2007 by rybolov
I had dinner with Joe last night, and I thought I would add a little bit of fuel to his personal vendetta to rid the world of the concept of “SBU”–Sensitive But Unclassified. Let’s just say that I’m an anti-SBU sympathizer. =)
“SBU” is a pseudo-classification used by the government to say that a bit of information is unclassified but still needs to be protected.
The biggest question is, does the US Government have any data that is not sensitive in any way? Usually not. I’m trying to think of something, and I am drawing a complete blank, unless we want to talk about orders for new black Skilcraft ballpoints and Simple Green. But then again, there’s probably a purchase order involved which probably is sensitive in some way. You could even extrapolate a traffic analysis attack using the quantity of pens ordered to determine how many people work at a specific place (not as effective as using the volume of pizza ordered by the Pentagon during planning for a troop surge as an indicator of pending missions), but when I start to go down that road I put on the tinfoil hat and the thoughts go away. =)
DODD 8500.1 defines SBU as “A term commonly and inappropriately used within the Department of Defense as a synonym for Sensitive Information, which is the preferred term.” Then there is a lengthy definition for Sensitive Information which you can go look up yourself.
Seriously, though, the last thing we need is for people to be making up their own classifications without official limits on what you can and can’t do with it. If you can’t mark it on a document and have people know what the marking means, then it’s not an effective classification. I think SBU meets this description, and that’s why it must die.
We have a classification, it’s called “For Official Use Only”. Use it, folks! =)
Posted in Rants, What Doesn't Work | 4 Comments »
Posted August 8th, 2007 by rybolov
Zombie Survival
It’s almost like the real thing–you simply cannot pump enough shots into these zombies to keep them from sucking out your brains.
Posted in Zombies | No Comments »
Posted August 3rd, 2007 by rybolov
So far I’ve been avoiding mentioning his now-infamous Vista 6-Month Vulnerability Report blog posting because, well, it doesn’t really matter to me what he thinks, and any boss that makes a decision solely on this study needs to have a visit from the giant foam cluebat. =)
But it’s been over a month–the post was published June 21st–and he’s still getting half a dozen comments per day. I have to respect anybody that can harness that much hate in such a short period of time and still keep coming to work every day.
Posted in Odds-n-Sods, Technical | 1 Comment »
Posted August 2nd, 2007 by rybolov
OK, somebody out there has a use for something as twisted as this.
http://www.anthea2.freeuk.com/carminaburana/
Posted in Odds-n-Sods | 1 Comment »